Posted onSep 16, 2022

areBracesValid UDF for ColdFusion/CFML

Useful to determine if braces are correctly matched before processing. Helps reduce SQLi.

I was using a version ofsmartSearch fromCFLib.org that I had updated with some simple regex detection forSQLi strings, but it wasn't catching everything. I considered disabling thebracket matching feature and rejecting any query search terms that attempted to use( or), but then considered that I should validate so that the feature could still be used since it is beneficial when not being exploited.

I couldn't find any UDFs on CFLib or other ColdFusion/CFML snippets to validate brackets in a string.(If there's existing code, let me know. I wasn't able to find it.) I read a couple recommendations on StackOverflow indicating that it shouldn't be validated using regex, so I wrote a UDF that reduces & validates braces in a string and returns a Boolean response. This allows us to determine whether we can safely use the string when generating a SQL search string (or use1=0 as a fallback).

Source Code

https://gist.github.com/JamoCA/a35ffaabc00e0339a9996e27825159a7

Top comments(3)

Ben Nadel

Location
Rhinebeck, NY
Joined
Apr 3, 2019

• Sep 25 '22

Copy link

I was about to ask if you were usingcfqueryparam for your search; but, I just looked at the Smart Search UDF, and it looks like it uses some SQL generation, which somewhat rules-out the parameterization.

James Moberg

I’m a ColdFusion/CFML web application developer at SunStar Media located in Monterey, CA. I am a fan of technology, music and web development.

Location
Monterey, CA
Work
Web Applications Developer
Joined
Aug 18, 2017

• Oct 7 '22

Copy link

I use an internally updated version of SmartSearch. I've added logic to identify SQLi and return1=0 if any is detected. (I'm planning on sharing my UDF updates, but will be releasing it on a new CFML resource website that I'm building.)